Abstract

We show a Birthday Paradox for self-intersections of Markov chains with uniform stationary distribution. As an application, we analyze Pollard's Rho algorithm for finding the discrete logarithm in a cyclic group $G$ and find that, if the partition in the algorithm is given by a random oracle, then with high probability a collision occurs in $\Theta(\sqrt{|G|})$ steps. This is the first proof of the correct order bound which does not assume that every step of the algorithm produces an i.i.d. sample from $G$.

1 Introduction 

The Birthday Paradox states that if $C\sqrt N$ items are sampled uniformly at random, with replacement, from a set of $N$ items, then for large $C$, with high probability some item will be chosen twice. This can be interpreted as a statement that with high probability, a Markov chain on the complete graph $K_N$ with transitions $P(i,j) = 1/N$ will intersect its past in $C\sqrt N$ steps; we refer to such a self-intersection as a collision, and say the "collision time" is $O(\sqrt N)$. In [?] this was generalized: for a general Markov chain, the collision time was bounded by $O(\sqrt N\, T_s(1/2))$, where
$$T_s(\epsilon) = \min\{n : \forall u, v \in V,\ P^n(u,v) \ge (1-\epsilon)\pi(v)\}$$
measures the time required for the $n$-step distribution to assign every state a suitable multiple of its stationary probability. In [?], the bound on collision time was improved to $O(\sqrt{N\, T_s(1/2)})$.

The motivation of [8], [5] was to study the collision time for a Markov chain involved in Pollard's Rho algorithm for finding the discrete logarithm on a cyclic group $G$ of prime order $N = |G| \ne 2$. For this walk $T_s(1/2) = \Omega(\log N)$ and so the results of [8], [5] are insufficient to show the widely believed $O(\sqrt N)$ collision time for this walk. In this paper we improve upon these bounds and show that if a finite ergodic Markov chain has uniform stationary distribution over $N$ states, then $O(\sqrt N)$ steps suffice for a collision to occur, as long as the relative-pointwise distance ($L_\infty$ of the densities of the current and the stationary distribution) drops steadily early in the random walk; it turns out that the precise mixing time is largely, although not entirely, unimportant. See Theorem 3.1 for a precise statement. This is then applied to the Rho walk to give the first proof of collision in $\Theta(\sqrt N)$ steps.

We note here that it is also well known (see e.g. [?], Section 4.1) that a sample of length $L$ from a Markov chain is roughly equivalent to $L\lambda$ samples from the stationary measure (of the Markov chain) for the purpose of sampling, where $\lambda$ is the spectral gap of the chain. This yields another estimate on collision time for a Markov chain, which is also of a multiplicative nature (namely, $\sqrt N$ times a function of the mixing time) as in [8], [5]. A main point of the present work is to establish sufficient criteria under which the collision time has an additive bound: $C\sqrt N$ plus an estimate on the mixing time. While the Rho algorithm provided the main motivation for the present work, we find the more general Birthday Paradox result to be of independent interest, and as such expect it to have other applications in the future.

A bit of detail about the Pollard Rho algorithm is in order. The classical discrete logarithm problem on a cyclic group deals with computing the exponents, given the generator of the group; more precisely, given a generator $g$ of a cyclic group $G$ and an element $h = g^x$, one would like to compute $x$ efficiently. Due to its presumed computational difficulty, the problem figures prominently in various cryptosystems, including the Diffie-Hellman key exchange, the El Gamal system, and elliptic curve cryptosystems. About 30 years ago, J.M. Pollard suggested algorithms to help solve both factoring large integers [11] and the discrete logarithm problem [12]. While the algorithms are of much interest in computational number theory and cryptography, there has been little work on rigorous analysis. We refer the reader to [?] and other existing literature (e.g., [?], [2]) for further cryptographic and number-theoretical motivation for the discrete logarithm problem.

A standard variant of the classical Pollard Rho algorithm for finding discrete logarithms can be described using a Markov chain on a cyclic group $G$. While there had been no rigorous proof of rapid mixing of this Markov chain of order $O(\log^{k}|G|)$ for some constant $k$ until recently, Miller-Venkatesan [?] gave a proof of mixing of order $O(\log^{k}|G|)$ steps and collision time of $O(\sqrt{|G|\log^{k}|G|})$, and Kim et al. [?] showed mixing of order $O(\log|G|\log\log|G|)$ and collision time of $O(\sqrt{|G|\log|G|\log\log|G|})$. In this paper we give the first proof of the correct $O(\sqrt{|G|})$ collision time. By recent results of Miller-Venkatesan this collision will be non-degenerate with probability $1 - o(1)$ for almost every prime order if the start point of the algorithm is chosen at random or if there is no collision in the first $O(\log|G|\log\log|G|)$ steps.

The paper proceeds as follows. Section 2 contains some preliminaries; primarily an introduction to the Pollard Rho Algorithm, and a simple multiplicative bound on the collision time in terms of the mixing time. The more general Birthday Paradox for Markov chains with uniform stationary distribution is shown in Section 3. In Section 4 we bound the appropriate constants for the Rho walk and show the optimal collision time. We finish in Section 5 with a few comments on the sharpness of our result.



2 Preliminaries 



Our intent in generalizing the Birthday Paradox was to bound the collision time of the Pollard Rho algorithm for Discrete Logarithm. As such, we briefly introduce the algorithm here. Throughout the analysis in the following sections, we assume that the size $N = |G|$ of the cyclic group on which the random walk is performed is odd. Indeed there is a standard reduction (see [13] for a very readable account and also a classical reference [10]) justifying the fact that it suffices to study the discrete logarithm problem on cyclic groups of prime order.
Suppose $g$ is a generator of $G$, that is $G = \{g^i\}_{i=0}^{N-1}$. Given $h \in G$, the discrete logarithm problem asks us to find $x$ such that $g^x = h$. Pollard suggested an algorithm on $\mathbb{Z}_p^*$ (for a prime $p$) based on a random walk and the Birthday Paradox. A common extension of his idea to groups of prime order is to start with a partition of $G$ into sets $S_1, S_2, S_3$ of roughly equal sizes, and define an iterating function $F : G \to G$ by $F(y) = gy$ if $y \in S_1$, $F(y) = hy = g^x y$ if $y \in S_2$, and $F(y) = y^2$ if $y \in S_3$. Then consider the walk $y_{i+1} = F(y_i)$. If this walk passes through the same state twice, say $g^{a+xb} = g^{\alpha+x\beta}$, then $g^{a-\alpha} = g^{x(\beta-b)}$ and so $a - \alpha = x(\beta - b) \bmod N$ and $x = (a-\alpha)(\beta-b)^{-1} \bmod N$, which determines $x$ as long as $\gcd(\beta - b, N) = 1$. Hence, if we define a collision to be the event that the walk passes over the same group element twice, then the first time there is a collision it might be possible to determine the discrete logarithm.

To estimate the running time until a collision, one heuristic is to treat $F$ as if it outputs uniformly random group elements. By the Birthday Paradox if $O(\sqrt{|G|})$ group elements are chosen uniformly at random, then there is a high probability that two of these are the same. Teske [16] has given experimental evidence that the time until a collision is slower than what would be expected by an independent uniform random process. We analyze instead the actual Markov chain in which it is assumed only that each $y \in G$ is assigned independently and at random to a partition $S_1$, $S_2$ or $S_3$. In this case, although the iterating function $F$ described earlier is deterministic, because the partition of $G$ was randomly chosen the walk is equivalent to a Markov chain (i.e. a random walk), at least until the walk visits a previously visited state and a collision occurs. The problem is then one of considering a walk on the exponent of $g$, that is a walk $P$ on the cycle $\mathbb{Z}_N$ with transitions $P(u, u+1) = P(u, u+x) = P(u, 2u) = 1/3$.
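As an added illustration (this is not code from the paper), the following Python runs the walk $y_{i+1} = F(y_i)$ described above on a constructed toy instance, the subgroup of prime order $N = 1019$ in $\mathbb{Z}_{2039}^*$ generated by $g = 4$ (these parameters and the secret exponent are assumptions), with the partition $S_1, S_2, S_3$ drawn as a random oracle; it recovers $x = (a-\alpha)(\beta-b)^{-1} \bmod N$ from the first non-degenerate collision and measures the collision time of the exponent walk $P$ on $\mathbb{Z}_N$ in units of $\sqrt N$.

```python
import random
from math import gcd, sqrt

# Constructed toy instance (an assumption for this example, not from the paper):
# p = 2039 and N = 1019 are primes with p = 2N + 1, so g = 4 generates the
# subgroup of Z_p^* of prime order N.  The group operation is multiplication mod p.
P, N, G = 2039, 1019, 4


def rho_walk(h, seed, p=P, n=N, g=G):
    """Iterate y_{i+1} = F(y_i) from y_0 = g, where F multiplies by g on S_1,
    by h on S_2 and squares on S_3.  The partition is a random oracle: each
    group element is assigned to S_1, S_2 or S_3 by an independent uniform
    draw the first time it is seen.  Every state y = g^a h^b is stored with
    its exponent pair (a, b).  Returns (x, steps) at the first collision,
    with x = None if the collision is degenerate (beta == b mod N)."""
    rng = random.Random(seed)
    partition = {}

    def part(y):
        if y not in partition:
            partition[y] = rng.randrange(3)
        return partition[y]

    y, a, b = g, 1, 0
    seen = {y: (a, b)}
    steps = 0
    while True:
        c = part(y)
        if c == 0:          # y in S_1: F(y) = g y
            y, a = y * g % p, (a + 1) % n
        elif c == 1:        # y in S_2: F(y) = h y = g^x y
            y, b = y * h % p, (b + 1) % n
        else:               # y in S_3: F(y) = y^2
            y, a, b = y * y % p, 2 * a % n, 2 * b % n
        steps += 1
        if y in seen:
            a2, b2 = seen[y]
            # g^{a + x b} = g^{a2 + x b2}  =>  a - a2 = x (b2 - b)  (mod N)
            d = (b2 - b) % n
            if gcd(d, n) != 1:
                return None, steps
            return (a - a2) * pow(d, -1, n) % n, steps
        seen[y] = (a, b)


def solve_dlog(h, max_tries=20):
    """Re-run the walk with a fresh random partition until a non-degenerate
    collision yields an x with g^x = h."""
    for seed in range(max_tries):
        x, _ = rho_walk(h, seed)
        if x is not None and pow(G, x, P) == h:
            return x
    return None


def exponent_walk_collision(x, seed, n=N):
    """The Markov chain P of Section 2: a walk on Z_N that moves u -> u+1,
    u -> u+x or u -> 2u, each with probability 1/3.  Returns the number of
    steps until the walk first revisits a state (the collision time)."""
    rng = random.Random(seed)
    u, seen, steps = 0, {0}, 0
    while True:
        r = rng.randrange(3)
        u = (u + 1) % n if r == 0 else (u + x) % n if r == 1 else 2 * u % n
        steps += 1
        if u in seen:
            return steps
        seen.add(u)


def mean_collision_time(x, trials=200, n=N):
    """Average collision time of the exponent walk, in units of sqrt(N)."""
    total = sum(exponent_walk_collision(x, seed, n) for seed in range(trials))
    return total / trials / sqrt(n)


if __name__ == "__main__":
    x_true = 123                                  # constructed secret exponent
    h = pow(G, x_true, P)
    print("recovered x =", solve_dlog(h))
    print("mean collision time / sqrt(N) =", round(mean_collision_time(x_true), 2))
```

A degenerate collision ($\beta \equiv b$) is reported as `None` and `solve_dlog` simply redraws the partition, which is the situation discussed in Remark 2.2 below.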

Remark 2.1. By assuming each $y \in G$ is assigned independently and at random to a partition we have eliminated one of the key features of the Pollard Rho algorithm, space efficiency. However, if the partitions are given by a hash function $f : G \to \{1, 2, 3\}$ which is sufficiently pseudo-random then we might expect behavior similar to the model with random partitions.

Remark 2.2. While we are studying the time until a collision occurs, there is no guarantee that 
the first collision will be non-degenerate. If the first collision is degenerate then so also will be all 
collisions, as the algorithm becomes deterministic after the first collision. 

As mentioned in the introduction, we first recall a simple multiplicative bound on collision time from [?]. The following proposition relates $T_s(1/2)$ to the time until a collision occurs for any Markov chain $P$ with uniform distribution on $G$ as the stationary distribution.

Proposition 2.3. With the above definitions, a collision occurs after
$$1 + T_s(1/2) + 2\sqrt{2c\,|G|\,T_s(1/2)}$$
steps, with probability at least $1 - e^{-c}$, for any $c > 0$.

Proof. Let $S$ denote the first $\sqrt{2c\,|G|\,T_s(1/2)}$ states visited by the walk. If two of these states are the same then a collision has occurred, so assume all states are distinct. Even if we only check for collisions every $T_s(1/2)$ steps, the chance that no collision occurs in the next $t\,T_s(1/2)$ steps (so consider $t$ semi-random states) is then at most $e^{-c}$ when $t = \sqrt{2c\,|G|/T_s(1/2)}$, as desired, and so at most
$$\sqrt{2c\,|G|\,T_s(1/2)} + \sqrt{\frac{2c\,|G|}{T_s(1/2)}}\;T_s(1/2)$$
steps are required for a collision to occur with probability at least $1 - e^{-c}$. □



Obtaining a more refined additive bound on collision time will be the focus of the next section. While the proof can be seen as another application of the well-known second moment method, it turns out that bounding the second moment of the number of collisions before the mixing time is somewhat subtle. To handle this, we use an idea from [?], who in turn credit their line of calculation to [?].



3 Collision Time 

Consider a finite ergodic Markov chain $P$ with uniform stationary distribution (i.e. doubly stochastic), state space $\Omega$ of cardinality $N = |\Omega|$, and let $X_0, X_1, \ldots$ denote a particular instance of the walk. In this section we determine the number of steps of the walk required to have a high probability that a "collision" has occurred, i.e. a self-intersection $X_i = X_j$ for some $i \ne j$.

First, some notation. Fix some $T > 0$. Define
$$S = \sum_{i=0}^{\beta\sqrt N}\ \sum_{j=i+2T}^{\beta\sqrt N + 2T} 1_{\{X_i = X_j\}}$$
to be the number of times the walk intersects itself in $\beta\sqrt N + 2T$ steps, where $i$ and $j$ are at least $2T$ steps apart. Also, for $u, v \in \Omega$, let
$$G_T(u,v) = \sum_{i=0}^{T} P^i(u,v)$$
be the expected number of times a walk beginning at $u$ hits state $v$ in $T$ steps. Finally, let
$$A_T = \max_u \sum_v G_T(u,v)^2 \quad\text{and}\quad A_T^* = \max_u \sum_v G_T(v,u)^2 .$$

To see the connection between these and the collision time, observe that
$$\sum_v G_T(u,v)^2 = \sum_v \sum_{i=0}^{T}\sum_{j=0}^{T} P^i(u,v)\,P^j(u,v) = \sum_{i=0}^{T}\sum_{j=0}^{T}\sum_v \Pr(X_i = v)\Pr(Y_j = v) = \sum_{i,j=0}^{T}\Pr(X_i = Y_j) = E\Big[\sum_{i,j=0}^{T} 1_{\{X_i = Y_j\}}\Big],$$
where $\{X_i\}$, $\{Y_j\}$ are i.i.d. copies of the chain, both having started at $u$ at time $0$. Hence $A_T$ is the maximal expected number of collisions of two $T$-step i.i.d. walks of $P$ starting at the same state $u$, while $A_T^*$ is the same for $P^*$.



The main result of this section is the following. 



Theorem 3.1 (Birthday Paradox for Markov chains). Consider a finite ergodic Markov chain with uniform stationary distribution on a state space of $N$ vertices. Let $T$ be such that $\frac{m}{N} \le P^T(u,v) \le \frac{M}{N}$ for some $m < 1 < M$ and every pair of states $u, v$. After
$$4c\left(\frac{M}{m}\right)^2\left(\sqrt{\frac{2N}{M}\max\{A_T, A_T^*\}} + T\right)$$
steps a collision occurs with probability at least $1 - e^{-c}$, for any $c > 0$.

Proof. First recall the standard second moment bound: using Cauchy-Schwarz, we have that
$$E[S] = E[S\,1_{\{S>0\}}] \le E[S^2]^{1/2}\,E[1_{\{S>0\}}]^{1/2}$$
and hence $\Pr[S > 0] \ge E[S]^2/E[S^2]$. By Lemma 3.3, if $\beta = 2\sqrt{2\max\{A_T, A_T^*\}/M}$ then
$$\Pr[S > 0] \ge \frac{E[S]^2}{E[S^2]} \ge \frac{m^2}{2M^2}, \qquad (3.1)$$
independent of the starting point. Hence the probability that there is no collision after $k(\beta\sqrt N + 2T)$ steps is at most $(1 - m^2/2M^2)^k \le e^{-km^2/2M^2}$. Taking $k = 2cM^2/m^2$ completes the proof. □



Remark 3.2. Observe that if $A_T, A_T^*, m, M = \Theta(1)$ and $T = O(\sqrt N)$ then the collision time is $O(\sqrt N)$, as in the standard Birthday Paradox. By Lemma 3.4, it will suffice that $P^T$ be sufficiently close to uniform after $T = o(\sqrt N)$ steps, and that $P^j(u,v) = o(T^{-2}) + d^j$ for all $u, v$, for $j \le T$ and some $d < 1$.



When applied to the standard Birthday Paradox, equation (3.1) with $T = 1$ is $2/\sqrt{\ln 2} \approx 2.4$ times the correct number of steps required to reach probability $1/2$. In the final section of the paper, we present an example to illustrate the need for the pre-mixing term $A_T$ in Theorem 3.1. A slight strengthening of Theorem 3.1 is also shown there, at the cost of a somewhat less intuitive bound.



The proof of Theorem 3.1 relied largely on the following:

Lemma 3.3. Under the conditions of Theorem 3.1,
$$E[S] \ge \frac{m}{N}\binom{\beta\sqrt N + 2}{2}, \qquad E[S^2] \le \frac{M^2}{N^2}\binom{\beta\sqrt N + 2}{2}^2\left(1 + \frac{8\max\{A_T, A_T^*\}}{M\beta^2}\right).$$

Proof. We will repeatedly use the relation that there are $\binom{\beta\sqrt N + 2}{2}$ choices for $i, j$ appearing in the summation for $S$, i.e. $0 \le i$ and $i + 2T \le j \le \beta\sqrt N + 2T$.
Now to the proof. The expectation $E[S]$ satisfies
$$E[S] = \sum_{i=0}^{\beta\sqrt N}\sum_{j=i+2T}^{\beta\sqrt N+2T}\Pr(X_i = X_j) \ge \sum_{i=0}^{\beta\sqrt N}\sum_{j=i+2T}^{\beta\sqrt N+2T}\frac{m}{N} = \frac{m}{N}\binom{\beta\sqrt N + 2}{2},$$
because if $j \ge i + T$ then
$$\Pr(X_i = X_j) = \sum_u \Pr(X_i = u)\,P^{j-i}(u,u) \ge \sum_u \Pr(X_i = u)\,\frac{m}{N} = \frac{m}{N}.$$
Similarly, $\Pr(X_j = X_i) \le \frac{M}{N}$ when $j \ge i + T$.
Now for $E[S^2]$. Note that
$$E[S^2] = E\Big[\Big(\sum_{i=0}^{\beta\sqrt N}\sum_{j=i+2T}^{\beta\sqrt N+2T} 1_{\{X_i=X_j\}}\Big)\Big(\sum_{k=0}^{\beta\sqrt N}\sum_{l=k+2T}^{\beta\sqrt N+2T} 1_{\{X_k=X_l\}}\Big)\Big] = \sum_{i=0}^{\beta\sqrt N}\sum_{k=0}^{\beta\sqrt N}\sum_{j=i+2T}^{\beta\sqrt N+2T}\sum_{l=k+2T}^{\beta\sqrt N+2T}\Pr(X_i = X_j,\ X_k = X_l).$$

To evaluate this quadruple sum we break it into 3 cases.

Case 1: Suppose $|j - l| > T$. Without loss, assume $l > j$, so in particular $l > \max\{i, j, k\} + T$. Then
$$\Pr(X_i = X_j,\ X_k = X_l) = \Pr(X_i = X_j)\,\Pr(X_l = X_k \mid X_i = X_j) \le \Pr(X_i = X_j)\max_{u,v}\Pr(X_l = v \mid X_{\max\{i,j,k\}} = u) \le \Pr(X_i = X_j)\,\frac{M}{N} \le \Big(\frac{M}{N}\Big)^2 .$$
The first inequality is because $\{X_t\}$ is a Markov chain and so given $X_i, X_j, X_k$ the walk at any time $t > \max\{i, j, k\}$ depends only on the state $X_{\max\{i,j,k\}}$.

Case 2: Suppose $|i - k| > T$ and $|j - l| \le T$. Without loss, assume $i < k$. If $j \le l$ then
$$\Pr(X_i = X_j,\ X_k = X_l) = \sum_{u,v}\Pr(X_i = u)\,P^{k-i}(u,v)\,P^{j-k}(v,u)\,P^{l-j}(u,v) \le \sum_u \Pr(X_i = u)\,\frac{M}{N}\cdot\frac{M}{N}\sum_v P^{l-j}(u,v) = \Big(\frac{M}{N}\Big)^2,$$
because $k > i + T$, $j > k + T$, and $\sum_v P^t(u,v) = 1$ for any $t$ because $P$ (and hence also $P^t$) is a stochastic matrix. If, instead, $l < j$ then essentially the same argument works, but with $\sum_u P^t(u,v) = 1$ because $P$ (and hence also $P^t$) is doubly stochastic.
Case 3: Finally, consider those terms with $|j - l| \le T$ and $|i - k| \le T$. Without loss, assume $i < k$. If $l \le j$ then
$$\Pr(X_i = X_j,\ X_k = X_l) = \sum_{u,v}\Pr(X_i = u)\,P^{k-i}(u,v)\,P^{l-k}(v,v)\,P^{j-l}(v,u) \le \frac{M}{N}\sum_{u,v}\Pr(X_i = u)\,P^{k-i}(u,v)\,P^{j-l}(v,u).$$
The sum over elements with $i \le k < i + T$ and $l \le j < l + T$ is upper bounded as follows:
$$\begin{aligned}
\sum_{i=0}^{\beta\sqrt N}\sum_{k=i}^{i+T}\sum_{l=k+2T}^{\beta\sqrt N+2T}\sum_{j=l}^{l+T}\Pr(X_i = X_j,\ X_k = X_l)
&\le \frac{M}{N}\sum_{i=0}^{\beta\sqrt N}\sum_{l=i+2T}^{\beta\sqrt N+2T}\max_u\sum_v\sum_{k\in[i,i+T)}P^{k-i}(u,v)\sum_{j\in[l,l+T)}P^{j-l}(v,u) \qquad (3.2)\\
&\le \frac{M}{N}\sum_{i=0}^{\beta\sqrt N}\sum_{l=i+2T}^{\beta\sqrt N+2T}\max_u\sum_v G_T(u,v)\,G_T(v,u)\\
&\le \frac{M}{N}\sum_{i=0}^{\beta\sqrt N}\sum_{l=i+2T}^{\beta\sqrt N+2T}\max_u\sqrt{\sum_v G_T(u,v)^2\sum_v G_T(v,u)^2}\\
&\le \frac{M}{N}\binom{\beta\sqrt N+2}{2}\sqrt{A_T A_T^*}.
\end{aligned}$$
The case when $j < l$ gives the same bound, but with the observation that $j > k + T$ and with $A_T$ instead of $\sqrt{A_T A_T^*}$.

Putting together these various cases we get that
$$E[S^2] \le \Big(\frac{M}{N}\Big)^2\binom{\beta\sqrt N+2}{2}^2 + 4\,\frac{M}{N}\binom{\beta\sqrt N+2}{2}\max\{A_T, A_T^*\}.$$
The $\binom{\beta\sqrt N+2}{2}^2$ term is the total number of values of $i, j, k, l$ appearing in the sum for $E[S^2]$, and hence also an upper bound on the number of values in Cases 1 and 2. Along with the relation $\binom{\beta\sqrt N+2}{2} \ge \frac{\beta^2 N}{2}$ this simplifies to complete the proof. □

To upper bound $A_T$ and $A_T^*$ it suffices to show that the maximum probability of being at a vertex decreases quickly.

Lemma 3.4. If a finite ergodic Markov chain has uniform stationary distribution then
$$A_T,\ A_T^* \le 2\sum_{j=0}^{T}(j+1)\max_{u,v}P^j(u,v).$$

Proof. If $u$ is such that equality occurs in the definition of $A_T$, then
$$A_T = \sum_v G_T(u,v)^2 = \sum_{i=0}^{T}\sum_{j=0}^{T}\sum_v P^i(u,v)\,P^j(u,v) \le 2\sum_{j=0}^{T}\sum_{i=0}^{j}\max_v P^j(u,v)\sum_v P^i(u,v) \le 2\sum_{j=0}^{T}(j+1)\max_v P^j(u,v).$$
The same bound holds for $A_T^*$, which plays the role of $A_T$ for the reversed chain, because the upper bound just shown is the same for the chain and its reversal. □

In particular, suppose $P^t(u,v) \le c + d^t$ for every $u, v \in \Omega$ and some $c, d \in [0, 1)$. The sum in Lemma 3.4 is then at most
$$(1 + o(1))\,cT^2 + \frac{2}{(1-d)^2},$$
and so if $P^t(u,v) \le o(T^{-2}) + d^t$ for every $u, v \in \Omega$ then $A_T, A_T^* = O(1)$.

4 Convergence of the Rho walk 

Let us now turn our attention to the Pollard Rho walk for discrete logarithm. To apply the collision time result we will first show that $\max_{u,v}P^s(u,v)$ decreases quickly in $s$ so that Lemma 3.4 may be used. We then find $T$ such that $P^T(u,v) \approx \frac{1}{N}$ for every $u, v \in \mathbb{Z}_N$. However, instead of studying the Rho walk directly, most of the work will instead involve a "block walk" in which only a certain subset of the states visited by the Rho walk are considered.

Definition 4.1. Let us refer to the three types of moves that the Pollard Rho random walk makes, namely $(u, u+1)$, $(u, u+x)$, and $(u, 2u)$, as moves of Type 1, Type 2, and Type 3, respectively. In general, let the random walk be denoted by $Y_0, Y_1, Y_2, \ldots$, with $Y_t$ indicating the position of the walk (modulo $N$) at time $t \ge 0$. Let $T_1$ be the first time that the walk makes a move of Type 3. Let $b_1 = Y_{T_1 - 1} - Y_{T_0}$ (i.e., the ground covered, modulo $N$, only using consecutive moves of Types 1 and 2). More generally, let $T_i$ be the first time, since $T_{i-1}$, that a move of Type 3 happens and set $b_i = Y_{T_i - 1} - Y_{T_{i-1}}$. Then the block walk $B$ is the walk $X_s = Y_{T_s} = 2^s Y_{T_0} + 2\sum_{i=1}^{s} 2^{s-i} b_i$.

By combining our Birthday Paradox for Markov chains with several lemmas to be shown in this section we obtain the main result of the paper:

Theorem 4.2. For every choice of starting state, the expected number of steps required for the Pollard Rho algorithm for discrete logarithm on a group $G$ to have a collision is at most
$$(1 + o(1))\,12\sqrt{19}\,\sqrt{|G|} \le (1 + o(1))\,52.5\sqrt{|G|}.$$
Proof. We work with Theorem 5.2, shown in the Concluding Remarks, because this gives a somewhat sharper bound. Alternatively, Theorem 3.1 and Lemma 3.4 can be applied nearly identically to get the slightly weaker $(1 + o(1))\,72\sqrt N$.

First consider steps of the block walk. Lemma 4.3 implies that $B^s(u,v) \le \frac{3/2}{N^{\log_2(3/2)}} + \left(\frac{2}{3}\right)^s$, for $s \ge 0$ and for all $u, v$. Hence, by equation (5.1), if $T = o(\sqrt N)$ then $1 + \sum_{j=1}^{2T} 3j\max_{u,v}B^j(u,v) \le 19 + o(1)$. By Remark 4.5, after $2(\log_2 N)(\log\log N + \log\frac{1}{\epsilon})$ steps, we have $M \le 1 + \epsilon$ and $m \ge 1 - \epsilon$. Hence, if we set $\epsilon = 1/N^2$ then $T = (4 + o(1))(\log_2 N)^2$ with $m = 1 - o(1/N)$ and $M = 1 + o(1/N)$. Plugging this into Theorem 5.2, a collision fails to occur in
$$k\left(2\sqrt{\Big(1 + \sum_{j=1}^{2T}3j\max_{u,v}B^j(u,v)\Big)\frac{N}{M}} + 2T\right) = (1 + o(1))\,2\sqrt{19}\,k\sqrt N$$
steps with probability at most $(1 - \delta)^k$ where $\delta = m^2/2M^2 = (1 - o(1))/2$.

Now let us return to the Rho walk. Recall that $T_i$ denotes the number of Rho steps required for $i$ block steps. The difference $T_{i+1} - T_i$ is an i.i.d. random variable with the same distribution as $T_1 - T_0$. Hence, if $i > j$ then $E[T_i - T_j] = (i - j)\,E[T_1 - T_0] = 3(i - j)$. In particular, if we let $r = (1 + o(1))\,2\sqrt{19}\sqrt N$, let $R$ denote the number of Rho steps before a collision, and let $B$ denote the number of block steps before a collision, then
$$E[R] \le \sum_{k=0}^{\infty}\Pr[B \ge kr]\,E[T_{(k+1)r} - T_{kr} \mid B \ge kr] = \sum_{k=0}^{\infty}\Pr[B \ge kr]\,E[T_{(k+1)r} - T_{kr}] \le \sum_{k=0}^{\infty}\Big(\frac{1 + o(1)}{2}\Big)^k\,3r = (1 + o(1))\,12\sqrt{19}\,\sqrt N.$$
□



Now to the first lemma required for the collision bound, a proof that $B^s(u,v)$ decreases quickly for the block walk:

Lemma 4.3. If $s \le \lfloor\log_2 N\rfloor$ then for every $u, v \in \mathbb{Z}_N$ the block walk satisfies
$$B^s(u,v) \le (2/3)^s.$$
If $s > \lfloor\log_2 N\rfloor$ then $B^s(u,v) \le (2/3)^{\lfloor\log_2 N\rfloor} \le \frac{3/2}{N^{\log_2(3/2)}}$.

Proof. We start with a weaker, but somewhat more intuitive, proof of a bound on $B^s(u,v)$ and then improve it to obtain the result of the lemma. The key idea here will be to separate out a portion of the Markov chain which is tree-like with some large depth $L$, namely the moves induced solely by $b_i = 0$ and $b_i = 1$ moves. Because of the high depth of the tree, the walk spreads out for the first $L$ steps, and hence the probability of being at a vertex also decreases quickly.
Let $S = \{i \in [1 \ldots s] : b_i \in \{0, 1\}\}$ and $z = \sum_{i \notin S} 2^{s-i} b_i$. Then $Y_{T_s} = 2^s Y_{T_0} + 2z + 2\sum_{i \in S} 2^{s-i} b_i$. Hence, choosing $Y_{T_0} = u$, $Y_{T_s} = v$, we may write
$$B^s(u,v) = \sum_S \sum_{z \in \mathbb{Z}_N}\Pr(S)\,\Pr(z \mid S)\,\Pr\Big(\sum_{i\in S}2^{s-i}b_i = v/2 - 2^{s-1}u - z \,\Big|\, z, S\Big) \le \sum_S \Pr(S)\max_w \Pr\Big(\sum_{i\in S}2^{s-i}b_i = w \,\Big|\, S\Big),$$
and so for a fixed choice of $S$, we can ignore what happens on $S^c$.

Each $w \in [0 \ldots N-1]$ has a unique binary expansion, and so if $s \le \lfloor\log_2 N\rfloor$ then modulo $N$ each $w$ can still be written in at most one way as an $s$ bit string. For the block walk, $\Pr(b_i = 0) \ge 1/3$ and $\Pr(b_i = 1) \ge 1/9$, and so $\max\{\Pr(b_i = 0 \mid i \in S),\ \Pr(b_i = 1 \mid i \in S)\} \le \frac{8}{9}$. It follows that
$$\max_w \Pr\Big(\sum_{i \in S}2^{s-i}b_i = w \,\Big|\, S\Big) \le (8/9)^{|S|}, \qquad (4.3)$$
using independence of the $b_i$'s. Hence,
$$B^s(u,v) \le \sum_S \Pr(S)\,(8/9)^{|S|} = \sum_{r=0}^{s}\Pr(|S| = r)\,(8/9)^r \le \sum_{r=0}^{s}\binom{s}{r}\Big(\frac{4}{9}\Big)^r\Big(\frac{5}{9}\Big)^{s-r}\Big(\frac{8}{9}\Big)^r = \Big(\frac{5}{9} + \frac{4}{9}\cdot\frac{8}{9}\Big)^s = \Big(\frac{77}{81}\Big)^s .$$
The second inequality was because $(8/9)^{|S|}$ is decreasing in $|S|$ and so underestimating $|S|$ by assuming $\Pr(i \in S) = 4/9$ will only increase the upper bound on $B^s(u,v)$.

In order to improve on this, we will shortly re-define $S$ (namely, the events $\{i \in S\}$, $\{i \notin S\}$) and auxiliary variables $c_i$, using the steps of the Rho walk. Also note that the block walk is induced by a Rho walk, so we may assume that the $b_i$ were constructed by a series of steps of the Rho walk. With probability $1/4$ set $i \in S$ and $c_i = 0$; otherwise, if the first step is of Type 1 then set $i \in S$ and $c_i = 1$, while if the first step is of Type 3 then put $i \notin S$ and $c_i = 0$, and finally if the first step is of Type 2, then again repeat the above decision making process, using the subsequent steps of the walk. Note that the above construction can be summarized as consisting of one of four equally likely outcomes (at each time), where the last three outcomes depend on the type of the step that the Rho walk takes; indeed each of these three outcomes happens with probability $\frac{3}{4}\times\frac{1}{3} = 1/4$; finally, a Type 2 step forces us to reiterate the four-way decision making process.

Then $\Pr(i \in S) = \sum_{t \ge 0}(1/4)^t(1/2) = 2/3$. Also observe that $\Pr(c_i = 0 \mid i \in S) = \Pr(c_i = 1 \mid i \in S)$, and that $\Pr(b_i - c_i = x \mid i \in S, c_i = 0) = \Pr(b_i - c_i = x \mid i \in S, c_i = 1)$. Hence the steps done earlier (leading to the weaker bound) carry through with $z = \sum_i 2^{s-i}(b_i - c_i)$ and with $\sum_{i \in S}2^{s-i}b_i$ replaced by $\sum_{i \in S}2^{s-i}c_i$. In (4.3) replace $(8/9)^{|S|}$ by $(1/2)^{|S|}$, and in showing the final upper bound on $B^s(u,v)$ replace $4/9$ by $2/3$. This leads to the bound $B^s(u,v) \le (2/3)^s$.

Finally, when $s > \lfloor\log_2 N\rfloor$, simply apply the preceding argument to $S' = S \cap [1 \ldots \lfloor\log_2 N\rfloor]$. Alternately, note that when $s > \lfloor\log_2 N\rfloor$ then $B^s(u,v) \le \max_w B^{\lfloor\log_2 N\rfloor}(u,w)$, for every doubly-stochastic Markov chain $B$. □
In order to use the Birthday Paradox on the Rho walk it suffices to show a mixing time bound of $T = o(\sqrt N)$ (to guarantee that $A_T, A_T^* = O(1)$). In [?], [?] sufficiently strong bounds are shown in several ways, including by use of characters and quadratic forms, canonical paths, or Fourier analysis. We give here the Fourier approach, as it establishes the sharpest mixing bounds.

To bound the mixing time of the block walk, it suffices to show that for large enough $s$, the distribution $\nu_s$ of
$$Z_s = 2^{s-1}b_1 + 2^{s-2}b_2 + \cdots + b_s$$
is close to the uniform distribution $U$, because then the distribution of $X_s = 2^s Y_{T_0} + 2Z_s$ will be close to uniform as well. More precisely, we will show that
$$N\sum_{j=0}^{N-1}\big(\nu_s(j) - U(j)\big)^2 \le 2\Big(\big(1 + \xi^{2\lfloor s/m\rfloor}\big)^{m-1} - 1\Big), \qquad (4.4)$$
where $\nu_s(j) = \Pr[Z_s = j]$, $\xi = 1 - \big(\tfrac{4}{9} - \tfrac{\sqrt{10}}{9}\big)$, and $m$ satisfies $2^{m-1} < N \le 2^m$. In Remark 4.5 at the end of the section it will be shown that this suffices to show that $P^n$ quickly approaches the uniform distribution.

The proof uses the standard Fourier transform and the Plancherel identity: For any complex-valued function $f$ on $\mathbb{Z}_N$ and $\omega = e^{2\pi i/N}$, recall that the Fourier transform $\hat f : \mathbb{Z}_N \to \mathbb{C}$ is given by
$$\hat f(\ell) = \sum_{j=0}^{N-1} f(j)\,\omega^{j\ell},$$
and the Plancherel identity asserts that
$$\sum_{\ell=0}^{N-1}|\hat f(\ell)|^2 = N\sum_{j=0}^{N-1}|f(j)|^2 .$$
For the distribution $\mu$ of a $\mathbb{Z}_N$-valued random variable $X$, its Fourier transform is
$$\hat\mu(\ell) = \sum_{j=0}^{N-1}\mu(j)\,\omega^{j\ell} = E[\omega^{\ell X}].$$
Thus, for the distributions $\mu_1, \mu_2$ of two independent random variables $Y_1, Y_2$, the distribution $\nu$ of $X := Y_1 + Y_2$ has the Fourier transform $\hat\nu = \hat\mu_1\hat\mu_2$, since
$$\hat\nu(\ell) = E[\omega^{\ell(Y_1+Y_2)}] = E[\omega^{\ell Y_1}]\,E[\omega^{\ell Y_2}] = \hat\mu_1(\ell)\,\hat\mu_2(\ell).$$
Generally, the distribution $\nu$ of $X := Y_1 + \cdots + Y_s$ with independent $Y_i$'s has the Fourier transform $\hat\nu = \prod_{r=1}^{s}\hat\mu_r$. Moreover, for the uniform distribution $U$, it is easy to check that
$$\hat U(\ell) = \begin{cases} 1 & \text{if } \ell = 0,\\ 0 & \text{otherwise.}\end{cases}$$
As the random variables $2^r b_{s-r}$ are independent, $\nu_s$ is the convolution $\mu_0 * \mu_1 * \cdots * \mu_{s-1}$, where $\mu_r$ is the distribution of $2^r b_{s-r}$. The linearity of the Fourier transform and $\hat\nu_s(0) = E[1] = 1$ yield
$$\hat\nu_s(\ell) - \hat U(\ell) = \begin{cases} 0 & \text{if } \ell = 0,\\ \prod_{r=0}^{s-1}\hat\mu_r(\ell) & \text{otherwise.}\end{cases}$$
By Plancherel's identity, it is enough to show the following.
Lemma 4.4.
$$\sum_{\ell=1}^{N-1}\prod_{r=0}^{s-1}|\hat\mu_r(\ell)|^2 \le 2\Big(\big(1 + \xi^{2\lfloor s/m\rfloor}\big)^{m-1} - 1\Big).$$

Proof. Let $A_r$ be the event that $b_{s-r} = 0$ or $1$. Then,
$$\hat\mu_r(\ell) = \Pr[b_{s-r} = 0] + \Pr[b_{s-r} = 1]\,\omega^{\ell 2^r} + \Pr[A_r^c]\,E\big[\omega^{\ell 2^r b_{s-r}} \,\big|\, A_r^c\big],$$
and, for $x := \Pr[b_{s-r} = 0]$ and $y := \Pr[b_{s-r} = 1]$,
$$|\hat\mu_r(\ell)| \le |x + y\,\omega^{\ell 2^r}| + (1 - x - y)\,\big|E\big[\omega^{\ell 2^r b_{s-r}} \,\big|\, A_r^c\big]\big| \le |x + y\,\omega^{\ell 2^r}| + 1 - x - y .$$
Notice that
$$|x + y\,\omega^{\ell 2^r}|^2 = \Big(x + y\cos\frac{2\pi\ell 2^r}{N}\Big)^2 + y^2\sin^2\frac{2\pi\ell 2^r}{N} = x^2 + y^2 + 2xy\cos\frac{2\pi\ell 2^r}{N}.$$
If $\cos\frac{2\pi\ell 2^r}{N} \le 0$, then
$$|\hat\mu_r(\ell)| \le (x^2 + y^2)^{1/2} + 1 - x - y = 1 - \big(x + y - (x^2 + y^2)^{1/2}\big).$$
Since $x = \Pr[b_{s-r} = 0] \ge 1/3$ and $y = \Pr[b_{s-r} = 1] \ge 1/9$, it is easy to see that $x + y - (x^2 + y^2)^{1/2}$ has its minimum when $x = 1/3$ and $y = 1/9$. (For both partial derivatives are positive.) Hence,
$$|\hat\mu_r(\ell)| \le \xi = 1 - \Big(\frac{4}{9} - \frac{\sqrt{10}}{9}\Big) \quad\text{provided } \cos\frac{2\pi\ell 2^r}{N} \le 0 .$$
If $\cos\frac{2\pi\ell 2^r}{N} > 0$, we use the trivial bound $|\hat\mu_r(\ell)| = |E[\omega^{\ell 2^r b_{s-r}}]| \le 1$.



For $\ell = 1, \ldots, N-1$, let $\phi_s(\ell)$ be the number of $r = 0, \ldots, s-1$ such that $\cos\frac{2\pi\ell 2^r}{N} \le 0$. Then
$$\prod_{r=0}^{s-1}|\hat\mu_r(\ell)| \le \xi^{\phi_s(\ell)}. \qquad (4.5)$$
To estimate $\phi_s(\ell)$, we consider the binary expansion of
$$\ell/N = .\,\alpha_{\ell,1}\alpha_{\ell,2}\cdots\alpha_{\ell,s}\cdots,$$
$\alpha_{\ell,r} \in \{0, 1\}$ with $\alpha_{\ell,r} = 0$ infinitely often. Hence, $\ell/N = \sum_{r \ge 1}2^{-r}\alpha_{\ell,r}$. The fractional part of $\ell 2^r/N$ may be written
$$\{\ell 2^r/N\} = .\,\alpha_{\ell,r+1}\alpha_{\ell,r+2}\cdots .$$
Notice that $\cos\frac{2\pi\ell 2^r}{N} \le 0$ if the fractional part of $\ell 2^r/N$ is (inclusively) between $1/4$ and $3/4$, which follows if $\alpha_{\ell,r+1} \ne \alpha_{\ell,r+2}$. Thus, $\phi_s(\ell)$ is at least as large as the number of alternations in the sequence $(\alpha_{\ell,1}, \alpha_{\ell,2}, \ldots, \alpha_{\ell,s+1})$.
We now take $m$ such that $2^{m-1} < N \le 2^m$. Observe that, for $\ell = 1, \ldots, N-1$, the subsequences $\alpha(\ell) := (\alpha_{\ell,1}, \alpha_{\ell,2}, \ldots, \alpha_{\ell,m})$ of length $m$ are pairwise distinct: If $\alpha(\ell) = \alpha(\ell')$ for some $\ell < \ell'$ then $(\ell' - \ell)/N$ is less than $\sum_{r \ge m+1}2^{-r} = 2^{-m}$, which is impossible as $N \le 2^m$. Similarly, for fixed $r$ and $\ell = 1, \ldots, N-1$, all subsequences $\alpha(\ell; r) := (\alpha_{\ell,r+1}, \alpha_{\ell,r+2}, \ldots, \alpha_{\ell,r+m})$ are pairwise distinct. In particular, for fixed $r$ with $r = 0, \ldots, \lfloor s/m\rfloor - 1$, all subsequences $\alpha(\ell; rm)$, $\ell = 1, \ldots, N-1$, are pairwise distinct. Since the fractional part $\{\ell 2^{rm}/N\} = .\,\alpha_{\ell,rm+1}\alpha_{\ell,rm+2}\cdots$ must be the same as $\ell'/N$ for some $\ell'$ in the range $1 \le \ell' \le N-1$, there is a unique permutation $\sigma_r$ of $1, \ldots, N-1$ such that $\alpha(\ell; rm) = \alpha(\sigma_r(\ell))$. Writing $|\alpha(\sigma_r(\ell))|_A$ for the number of alternations in $\alpha(\sigma_r(\ell))$, we have
$$\phi_s(\ell) \ge \sum_{r=0}^{\lfloor s/m\rfloor - 1}|\alpha(\sigma_r(\ell))|_A,$$
where $\sigma_0$ is the identity. Therefore, (4.5) gives
$$\sum_{\ell=1}^{N-1}\prod_{r=0}^{s-1}|\hat\mu_r(\ell)|^2 \le \sum_{\ell=1}^{N-1}\prod_{r=0}^{\lfloor s/m\rfloor - 1}\xi^{2|\alpha(\sigma_r(\ell))|_A}.$$
Using
$$\xi^{x+y} + \xi^{x'+y'} \le \xi^{\min\{x,x'\}+\min\{y,y'\}} + \xi^{\max\{x,x'\}+\max\{y,y'\}}$$
inductively, the above upper bound may be maximized when all $\sigma_r$'s are the identity, i.e.,
$$\sum_{\ell=1}^{N-1}\prod_{r=0}^{\lfloor s/m\rfloor - 1}\xi^{2|\alpha(\sigma_r(\ell))|_A} \le \sum_{\ell=1}^{N-1}\xi^{2\lfloor s/m\rfloor\,|\alpha(\ell)|_A}.$$
Note that $0 < \ell/N < 1 - 2^{-m}$ implies that $\alpha(\ell)$ is neither $(0, \ldots, 0)$ nor $(1, \ldots, 1)$ (both are of length $m$). This means that all $\alpha(\ell)$ have at least one alternation. Since the $\alpha(\ell)$'s are pairwise distinct,
$$\sum_{\ell=1}^{N-1}\xi^{2\lfloor s/m\rfloor\,|\alpha(\ell)|_A} \le \sum_{\alpha : |\alpha|_A > 0}\xi^{2\lfloor s/m\rfloor\,|\alpha|_A},$$
where the sum is taken over all sequences $\alpha \in \{0, 1\}^m$ with $|\alpha|_A > 0$. Let $H(z)$ be the number of $\alpha$'s with exactly $z$ alternations. Then
$$H(z) = 2\binom{m-1}{z},$$
and hence
$$\sum_{\alpha : |\alpha|_A > 0}\xi^{2\lfloor s/m\rfloor\,|\alpha|_A} = \sum_{z=1}^{m-1}2\binom{m-1}{z}\big(\xi^{2\lfloor s/m\rfloor}\big)^z = 2\Big(\big(1 + \xi^{2\lfloor s/m\rfloor}\big)^{m-1} - 1\Big).$$
□
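As an added numerical check (not the paper's code), the following Python computes the block walk of Definition 4.1 exactly for a constructed instance $N = 509$, $x = 123$ (an assumption), and verifies Lemma 4.3's bound $\max_{u,v}B^s(u,v) \le (2/3)^s$, the constant $1 + \sum_{\gamma \le 2T}3\gamma\max B^\gamma$ used in the proof of Theorem 4.2, and equation (4.4) of Lemma 4.4 by evaluating both sides together with the Plancherel form $\sum_{\ell \ge 1}\prod_r|\hat\mu_r(\ell)|^2$; the truncation depth of the geometric block-length series is also an assumption.

```python
import cmath
from math import ceil, floor, log2, pi, sqrt

# Constructed instance (an assumption for this example): an odd prime N and a secret x.
N, X = 509, 123


def block_increment_distribution(n, x, kmax=200):
    """Distribution of one block increment b_i of Definition 4.1: the sum, mod N,
    of a run of Type 1 (+1) and Type 2 (+x) moves ending at the first Type 3
    (doubling) move.  The run has k Type 1/2 moves with probability (1/3)(2/3)^k,
    each move being +1 or +x with probability 1/2.  The series is truncated at
    kmax (an assumption; the dropped tail has mass (2/3)^kmax)."""
    dist = [0.0] * n
    run = [0.0] * n            # distribution of the partial sum after k moves
    run[0] = 1.0
    weight = 1.0 / 3           # (1/3)(2/3)^k
    for _ in range(kmax):
        for j in range(n):
            dist[j] += weight * run[j]
        nxt = [0.0] * n
        for j, pj in enumerate(run):
            nxt[(j + 1) % n] += pj / 2
            nxt[(j + x) % n] += pj / 2
        run = nxt
        weight *= 2.0 / 3
    return dist


def z_distributions(n, x, s_max):
    """nu_s(j) = Pr[Z_s = j] for s = 0..s_max, with Z_s = 2 Z_{s-1} + b_s (mod N);
    after s block steps the block walk sits at X_s = 2^s Y_{T_0} + 2 Z_s."""
    pb = block_increment_distribution(n, x)
    nu = [0.0] * n
    nu[0] = 1.0
    out = [nu]
    for _ in range(s_max):
        nxt = [0.0] * n
        for i, p_i in enumerate(nu):
            for j, p_j in enumerate(pb):
                nxt[(2 * i + j) % n] += p_i * p_j
        nu = nxt
        out.append(nu)
    return out


def max_block_transition(nus, s):
    """max_{u,v} B^s(u,v).  Because 2 is invertible mod the odd N, the row of B^s
    from any start u is a permutation of nu_s, so the maximum is max_j nu_s(j)."""
    return max(nus[s])


def lemma_4_3_check(n, x):
    """Rows (s, max B^s, (2/3)^s) for s = 1..floor(log2 N), and whether
    max B^s <= (2/3)^s holds for all of them, as Lemma 4.3 asserts."""
    L = floor(log2(n))
    nus = z_distributions(n, x, L)
    rows = [(s, max_block_transition(nus, s), (2 / 3) ** s) for s in range(1, L + 1)]
    return rows, all(m <= bound for _, m, bound in rows)


def theorem_5_2_constant(n, x, T):
    """1 + sum_{gamma=1}^{2T} 3 gamma max B^gamma, the quantity under the square
    root in Theorem 5.2 for the block walk; Section 4 bounds it by 19 + o(1)."""
    nus = z_distributions(n, x, 2 * T)
    return 1 + sum(3 * g * max_block_transition(nus, g) for g in range(1, 2 * T + 1))


def equation_4_4(n, x, s):
    """Evaluates equation (4.4): N sum_j (nu_s(j) - U(j))^2 computed directly, the
    same quantity via Plancherel as sum_{l>=1} prod_r |mu_r^(l)|^2 where
    mu_r^(l) = pb^(2^r l mod N), and the bound 2((1 + xi^{2 floor(s/m)})^{m-1} - 1)
    with xi = 1 - (4/9 - sqrt(10)/9) and m such that 2^{m-1} < N <= 2^m."""
    pb = block_increment_distribution(n, x)
    nu = z_distributions(n, x, s)[s]
    direct = n * sum((p - 1.0 / n) ** 2 for p in nu)
    omega = cmath.exp(2j * pi / n)
    pb_hat = [sum(pb[j] * omega ** ((j * l) % n) for j in range(n)) for l in range(n)]
    plancherel = 0.0
    for l in range(1, n):
        prod = 1.0
        for r in range(s):
            prod *= abs(pb_hat[(pow(2, r, n) * l) % n]) ** 2
        plancherel += prod
    m = ceil(log2(n))
    xi = 1 - (4 / 9 - sqrt(10) / 9)
    bound = 2 * ((1 + xi ** (2 * (s // m))) ** (m - 1) - 1)
    return direct, plancherel, bound
```

The two (4.4) evaluations agree to floating-point precision, which is the Plancherel identity at work, and both sit far below the bound because the bound is not sharp for small $N$.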
Remark 4.5. To show $P^{2s}$ is sufficiently close to the uniform distribution $U$, we use Cauchy-Schwarz:
$$\frac{|P^{2s}(u,v) - U(v)|}{U(v)} = \frac{\big|\sum_w (P^s(u,w) - U(w))(P^s(w,v) - U(v))\big|}{U(v)} \le \sqrt{\sum_w \frac{(P^s(u,w) - U(w))^2}{U(w)}}\;\sqrt{\sum_x \frac{(P^{*s}(v,x) - U(x))^2}{U(x)}} .$$
For the "block walk" the first sum after the inequality is equal to the quantity upper bounded in equation (4.4), while the second is the same quantity but for the time-reversed walk $P^*(u,v) = U(v)P(v,u)/U(u)$. To bound the mixing time of the reversed walk let $b_i^*$ denote the sum of steps taken by $P^*$ between the $(i-1)$-st and $i$th time that a $u \to u/2$ transition is chosen (i.e. consider block steps for the reversed walk), let $Z_s^* = 2^{s-1}b_1^* + \cdots + b_s^*$ and let $b_i = -b_i^*$. Then
$$\Pr[-Z_s^* = j] = \Pr[b_1 + 2b_2 + \cdots + 2^{s-1}b_s = j]$$
because the $b_i$ are independent random variables from the same distribution as the blocks of $P$. It follows from (4.4) that
$$\frac{1}{N}\sum_{j=0}^{N-1}\left(\frac{\Pr[Z_{2s} = j]}{U(j)} - 1\right)^2 \le 2\Big(\big(1 + \xi^{2\lfloor 2s/m\rfloor}\big)^{m-1} - 1\Big),$$
and so after $2s$ blocks, with $2s$ of order $m\log_{1/\xi}$ and at most $2m\log$ of the reciprocal of the target accuracy, it follows that $P^{2s}(u,v)$ is within the required factor of $1/N$ for every $u, v \in \mathbb{Z}_N$.

Remark 4.6. For the reader interested in applying these methods to show a Birthday Paradox for other problems, it is worth noting that a Fourier approach can also be used to show that $P^t(u,v)$ decreases quickly, and so $A_T, A_T^* = O(1)$.

For the distribution of $X_s$ the Plancherel identity gives
$$\max_v \Pr[X_s = v]^2 = \max_v \nu_s(v)^2 \le \sum_{v=0}^{N-1}\nu_s(v)^2 = \frac{1}{N}\sum_{\ell=0}^{N-1}|\hat\nu_s(\ell)|^2 = \frac{1}{N}\sum_{\ell=0}^{N-1}\prod_{r=0}^{s-1}|\hat\mu_r(\ell)|^2 .$$
For $\ell = 0, 1, \ldots, N-1$, let $\phi_s(\ell)$ be the number of $r = 0, \ldots, s-1$ such that $\cos\frac{2\pi\ell 2^r}{N} \le 0$. Then
$$\prod_{r=0}^{s-1}|\hat\mu_r(\ell)|^2 \le \xi^{2\phi_s(\ell)} .$$
Take $m$ such that $2^{m-1} < N \le 2^m$. Then, for $s \le m - 1$ and any (fixed) binary sequence $a_1, \ldots, a_s$ (that is, $a_j \in \{0, 1\}$), there are at most $\lceil 2^{-s}N\rceil$ values of $\ell$ such that the binary expansion of $\ell/N$ up to $s$ digits is $.a_1 \cdots a_s$. Since there are at most $2e^{-\Omega(s)}2^s$ binary sequences with fewer than $(s-1)/3$ alternations,
$$\prod_{r=0}^{s-1}|\hat\mu_r(\ell)|^2 \le \xi^{2(s-1)/3}$$
except for at most $2e^{-\Omega(s)}2^s\lceil 2^{-s}N\rceil = 2e^{-\Omega(s)}N$ values of $\ell$. Using the trivial bound $\prod_{r=0}^{s-1}|\hat\mu_r(\ell)| \le 1$ for such $\ell$'s, we have
$$\max_v \Pr[X_s = v]^2 \le 2e^{-\Omega(s)} + 2e^{-\Omega(s)} = 4e^{-\Omega(s)} .$$
If $s > m - 1$, then $\prod_{r=0}^{s-1}|\hat\mu_r(\ell)| \le \prod_{r=0}^{m-2}|\hat\mu_r(\ell)|$ implies that
$$\max_v \Pr[X_s = v] \le 2e^{-\Omega(m-1)} = N^{-\Omega(1)} .$$

5 Concluding Remarks

As promised in Section 3, we now present an example that illustrates the need for the pre-mixing term $A_T$ in Theorem 3.1.

Example 5.1. Consider the random walk on $\mathbb{Z}_N$ which transitions from $u \to u+1$ with probability $1 - \frac{1}{\sqrt N}$, and with probability $1/\sqrt N$ transitions $u \to v$ for a uniformly random choice of $v$.

Heuristically the walk proceeds as $u \to u+1$ for $\approx\sqrt N$ steps, then randomizes, then proceeds as $u \to u+1$ for another $\sqrt N$ steps. This effectively splits the state space into $\sqrt N$ blocks of size about $\sqrt N$ each, so by the standard Birthday Paradox it should require about $N^{1/4}$ of these randomizations before a collision will occur. In short, about $N^{3/4}$ steps in total.

To see the need for the pre-mixing term, observe that $T_s \approx \sqrt N\log 2$, while if $T = \sqrt N\log(2(N-1))$ then we may take $m = 1/2$ and $M = 3/2$ in Theorem 3.1. So, whether $T_s$ or $T_\infty$ is considered, it will be insufficient to take $O(T + \sqrt N)$ steps. However, the number $A_T$ of collisions between two independent copies of this walk is about $\sqrt N$, since once a randomization step occurs then the two independent walks are unlikely to collide anytime soon. Our collision time bound says that $O(N^{3/4})$ steps will suffice, which is the correct bound.

A proper analysis shows that $\frac{\sqrt 2}{2}N^{3/4}$ steps are necessary to have a collision with probability $1/2$. Conversely, when $T = \sqrt N\log^2 N$ then $m = 1 - o(1)$, $M = 1 + o(1)$ and $A_T, A_T^* \le \sqrt N/2$, so by equation (3.1), $(2 + o(1))N^{3/4}$ steps are sufficient to have a collision with probability at least $1/2$. Our upper bound is thus off by at most a factor of $2\sqrt 2 \approx 2.8$.

Also, the slight sharpening that was used to derive our improved bound for the Pollard Rho walk:

Theorem 5.2 (Improved Birthday paradox). Consider a finite ergodic Markov chain with uniform stationary distribution on a state space of $N$ vertices. Let $T$ be such that $\frac{m}{N} \le P^T(u,v) \le \frac{M}{N}$ for some $m < 1 < M$ and every pair of states $u, v$. After
$$2c\left(\sqrt{\frac{N}{M}\Big(1 + \sum_{\gamma=1}^{2T}3\gamma\max_{u,v}P^\gamma(u,v)\Big)} + T\right)$$
steps a collision occurs with probability at least $1 - \big(1 - \frac{m^2}{2M^2}\big)^c$, independent of the starting state.
Proof. We give only the steps that differ from before. First, in equation (3.2), note that the triple sum after $\max_u$ can be re-written as
$$\sum_{\alpha\in[0,T)}\sum_{\beta\in[0,T)}\sum_v P^\alpha(u,v)\,P^\beta(v,u) \le \sum_{\gamma=0}^{2(T-1)}(\gamma+1)\,P^\gamma(u,u),$$
and so the original quadruple sum reduces to $\frac{M}{N}\binom{\beta\sqrt N+2}{2}\max_u\sum_{\gamma=0}^{2(T-1)}(\gamma+1)\,P^\gamma(u,u)$.

For the case when $i < k$ and $j < l$ proceed similarly, then reduce as in Lemma 3.4 to obtain the upper bound
$$\frac{M}{N}\binom{\beta\sqrt N+2}{2}\sum_{\alpha=1}^{T}\sum_{\beta=1}^{T}\sum_v P^\alpha(u,v)\,P^\beta(u,v) \le \frac{M}{N}\binom{\beta\sqrt N+2}{2}\sum_{\gamma=1}^{2T}(2\gamma-1)\max_v P^\gamma(u,v).$$
Adding these two expressions gives an expression of at most
$$\frac{M}{N}\binom{\beta\sqrt N+2}{2}\Big(1 + \sum_{\gamma=1}^{2T}3\gamma\max_v P^\gamma(u,v)\Big).$$
The remaining two cases will add to the same bound, so effectively this replaces the $4\max\{A_T, A_T^*\}$ in the original theorem with the expression $2\big(1 + \max_u\sum_{\gamma=1}^{2T}3\gamma\max_v P^\gamma(u,v)\big)$. □

To simplify, note that if $\max_{u,v}P^\gamma(u,v) \le c + d^\gamma$ then
$$1 + \sum_{\gamma=1}^{2T}3\gamma\max_{u,v}P^\gamma(u,v) \le 1 + 3d\sum_{\gamma=1}^{2T}\gamma\, d^{\gamma-1} + 3c\sum_{\gamma=1}^{2T}\gamma \le 1 + \frac{3d}{(1-d)^2} + 3cT(2T+1). \qquad (5.1)$$